Security researchers have warned for many years that failure to digitally sign and validate the low-level firmware found in computers can lead to damaging compromises that are very hard to detect and fix.

While the computer industry has made some progress in this area, especially when it comes to the Unified Extensible Firmware Interface (UEFI) in modern computers, new research shows that many peripheral manufacturers have not adopted modern firmware validation principles.

Researchers from security firm Eclypsium have found computer components with unsigned firmware or improper signature validation in laptops from major manufacturers, as well as in servers. The identified devices included a network interface chipset widely used in servers, a common laptop WiFi adapter, a trackpad, a full HD camera and an internal USB hub.

While these are technically peripheral devices because they communicate with the CPU over the USB or PCI interfaces, from a user perspective they are an integral part of the computers they're found in. In most cases they cannot be removed or replaced without specialised tools and advanced technical knowledge about computer hardware internals as some of these chips are soldered onto the motherboard from factory.

How firmware updates

When most users think of computer firmware, they think of the UEFI, which is the modern equivalent of the BIOS. This low-level software stored in a flash memory chip (EPROM) on the motherboard handles the hardware initialisation during the booting process and starts the operating system (OS) installed on the hard drive.

Think of it as a mini operating system that performs a limited set of functions and gets the hardware ready before the end-user OS takes over.

While the UEFI can be viewed as the overall platform's firmware, most of the individual components inside computers also have their own firmware. Hard-disk drives (HDDs) and solid-state drives (SSDs) have firmware, wireless and Ethernet chipsets have firmware, sound and graphics cards have firmware, and even the CPU has so-called microcode, a set of instructions burned into its silicon during the manufacturing process.

The OS talks to the peripheral components through system drivers that rely on the firmware to perform the various hardware functions. It gets even more complicated.

Some components have a flash memory chip so their firmware is persistent, though it can often be updated from inside the operating system using the manufacturer's utilities. Other peripherals, however, don't have persistent storage, so a firmware image for them is shipped as part of the driver package and is loaded dynamically into memory every time the OS is booted.

This raises a question of who and at what stage should validate firmware updates and ensure that they come from the component manufacturer and are properly signed. As Eclypsium found, sometimes the industry does not have a clear answer.

If these firmware updates methods are not secured, hackers can exploit them to upload modified firmware images that hijack or misuse the targeted component's functionality for malicious purposes. Such modifications would be very hard to detect and would persist.

Researchers take control of firmware

The Eclypsium researchers found that the firmware update mechanism for the touchpad and TrackPoint components used in the Lenovo ThinkPad X1 Carbon 6th Gen laptops does not use cryptographic signature verification. This allowed the researchers to modify the firmware and run malicious code inside the components.

The Lenovo ThinkPad X1 Carbon is a popular business laptop and the touchpad and trackpoint used in the analysed model were made by Synaptics, one of the largest manufacturers of such components. Because of this, the researchers believe other laptops, including models from other vendors, that use the same trackpad, are also affected.

Furthermore, according to Eclypsium, Lenovo indicated that Synaptics does not have a way to correct this issue in the current generation of the affected components.

A similar situation was found with the HP Wide Vision FHD camera used in the HP Spectre x360 Convertible 13-ap0xxx laptop. The HP Wide Vision FHD camera uses an USB camera controller produced by a company called Sunplus Innovation Technology (SunplusIT), which supplies such components to many laptop manufacturers.

A camera update package supplied by HP included a Windows-based firmware update tool created by SunplusIT along with a firmware image that had no cryptographic signature or other authenticity validation. Furthermore, the update tool did not require elevated privileges to run, so firmware updates could be applied from a normal user account.

The researchers were able to load a modified firmware image that changed the camera's USB descriptors, forcing it to identify itself to the OS as a different type of USB device--for example, a USB keyboard that could be automated to send malicious inputs. HP told Eclypsium that it's working on a firmware update and that future camera generations will have signed firmware.

The researchers also managed to modify the firmware of the WiFi adapter in a Dell XPS 15 9560 laptop. This adapter, called Killer Wireless n/a/ac 1535, is produced by a company called Rivet Networks and uses a Qualcomm chip, highlighting the complex relationships in the PC supply chain.

Furthermore, the firmware for this chip is provided by Qualcomm and is loaded as part of the digitally signed driver. The firmware image itself is also digitally signed. However Windows only checks the signature during the installation phase and every time the driver itself is loaded, but not the firmware image.

As a result, if the firmware image loaded by the driver is replaced with a modified one that does not have a digital signature, the driver will still load it and Windows will still load the driver, which remains digitally signed.

"We reported this issue to both Qualcomm, who provides the chipset and driver for the Killer Wireless card and to Microsoft, who checks that such drivers are signed," the Eclypsium researchers said.

"Qualcomm responded that their chipset is subordinate to the processor, and that the software running on the CPU is expected to take responsibility for validating firmware. They stated that there was no plan to add signature verification for these chips. However, Microsoft responded that it was up to the device vendor to verify firmware that is loaded into the device."

The researchers looked at the Linux Vendor Firmware Service, a portal that allows hardware vendors to upload firmware updates to be distributed to Linux computers. The portal has a list of update protocols and an indication of whether they are signed.

One of those listed as not signed is for VLI USB Hub, a USB hub produced by VIA Labs that is also used in PCI expansion cards to extend the number of available USB ports in a computer.

Finally, the last analysed component was a network interface controller (NIC) that uses the Broadcom BCM5719 chipset, which is commonly found in server products from multiple manufacturers and does not validate the firmware using cryptographic signatures.

The researchers also chose this chipset because several open-source projects attempt to reimplement its firmware, which is normally closed source, making it much easier to modify.

The researchers demonstrated an attack and even made a video where they used modified firmware to gain access to the network traffic from the Baseband Management Controller (BMC). The BMC is a separate chip found in servers that runs its own firmware and allows out-of-band management even when the operating system is turned off.

In some configurations, the BMC and the host OS are configured to use the same physical network connection, but this appears as two different network adapters with separate MAC addresses.

The goal is for the OS to never see the BMC traffic, as the BMC in general should be completely isolated and independent from the host OS. The researchers were able to violate that boundary with their modified firmware.

"Using this approach, we can inspect the contents of BMC network packets, provide those contents to malware running on the host, or even modify BMC traffic on the fly," they said.

"This could also be used to block alerts sent from the BMC to a central logging server, selectively redirect them to a different server, copy and send traffic to a remote location for analysis, as well as make outgoing network connections to a remote command and control server directly from the NIC itself without the host or BMC being aware that any of this is happening."

Why does firmware validation matter?

What can be achieved with firmware attacks varies based on the type of compromised component. For example, a compromised touchpad can send malicious inputs, a compromised camera can potentially be used to spy on users, a compromised NIC can be used intercept or modify network traffic, and a compromised HDD can be used to create hidden storage. All this could be catalogued as abuse of the device's intended functionality.

However, as shown by Eclypsium's research, many peripherals can also be tricked into acting as other types of devices, extending their functionality or changing how they present themselves to the operating system.

Furthermore, some of these compromised components can gain kernel level access and take full control of the system. PCI devices in particular have Direct Memory Access (DMA). This is a feature in modern computers that allows a peripheral device to use and modify the system memory directly, bypassing the operating system. DMA attacks have been demonstrated over the years and even open-source tools have been created for this purpose.

In one way or another, a compromised peripheral can be used as a persistence mechanism for malware infections. This is very powerful because malicious firmware will survive OS reinstallation. In some cases, malicious firmware can even be designed to block all future firmware updates, meaning the component will remain compromised permanently.

Firmware attacks are a blindspot for most organisations. It is very hard to detect them at the software level, and it's hard to perform forensics investigations without removing the physical chips and dumping the code stored on them using special flash memory reading devices. Some security vendors, including Eclypsium, are trying to cover that gap by developing firmware monitoring solutions.

The likelihood of firmware attacks

Various firmware attacks have been documented over the years in the wild and others have been demonstrated by researchers at conferences as proof of concepts. One example of in-the-wild attacks was a malware module developed by the Equation Group, which is believed to be the NSA, that was capable of modifying the firmware of over a dozen HDD models from different manufacturers.

Networking giant Cisco Systems also found malware in the wild that was capable of infecting the boot firmware (ROMMON) of Cisco IOS routers, but a small number of compromises and victims were identified, suggesting it was a targeted attack.

The BlackEnergy attack that caused a power blackout in Ukraine in December 2015 involved attackers modifying the firmware of serial-to-ethernet controllers used by power substations, and the Triton malware that caused an emergency shutdown at Saudi Arabia's national oil company Saudi Aramco in 2017 was able to reprogram Triconex safety instrumented system (SIS) controllers.

The Vault7 leaks of 2017 documented some of the CIA's cyber espionage capabilities and revealed several firmware implants. One codenamed Sonic Screwdriver involved modifying the firmware of Apple Thunderbolt-to-Ethernet adapters, which could then be used to deliver an implant codenamed Der Starke that infected the EFI firmware of Mac computers.

The documents also revealed Cherry Blossom, a modified firmware that could be deployed on many wireless router models for espionage.

The commonality of all these attacks is that they were all launched by sophisticated, likely nation-state level attackers with access to specialised knowledge about the internals of particular hardware devices. Furthermore, the attacks affected a small number of victims, so they were highly targeted.

It's believed that developing and launching firmware attacks requires a significant investment and comes with various obstacles. The attackers need to have deep knowledge about the devices they're targeting, often exploiting functionality that is not publicly documented or is only found in service manuals.

They need advanced reverse-engineering skills to modify firmware that is usually closed source and proprietary. In many cases, they also need to obtain privileged access to the targeted systems because updating firmware often requires administrator permissions, so they need to include other exploits in the attack chain.

However, Eclypsium's new research shows that these limitations don't always apply to computer peripherals and that they can be easily overcome. Some of the firmware for these components have open-source implementations and even if they don't, there is now a wealth of public knowledge and tools for reverse engineering firmware.

Malicious firmware can be flashed using publicly available manufacturer tools, some of which don't even require elevated privileges to run because in some cases end-users applications can communicate with these components as part of their normal operation.

Even if administrative access is required to update firmware, privilege escalation vulnerabilities are not uncommon in operating systems and some even originate in the system drivers that these components use.

Some of the vulnerable peripherals that don't validate firmware are widely used in computers from multiple manufacturers because they're created by original design manufacturers (ODMs) that control a big share of their respective market segments.

"The bar is continuing to lower over time," Rick Altherr, principal engineer at Eclypsium, tells CSO. "Is it more challenging than developing a typical software-based malicious action in the OS? Yes, but there are different trade-offs.

"The main thing that you gain by going to the firmware level is persistence that is deeper than the operating system and you also gain a level of difficulty in detecting that implant or infection. So, while it's certainly more difficult to perform [a firmware attack] the actual depth of attack can be quite stronger.

"What we're seeing is a significant growth in these types of attacks as the security landscape continues to evolve, Altherr said. "As the OS mitigations for running malicious software continues to grow, there's a shift towards moving into firmware to perform similar types of actions."

Industry action needed

According to Altherr, the complex supply chain relationships between ODMs that make components and OEMs that integrate them into their end-user products such as laptops, make resolving this issue difficult. First, the Eclypsium researchers believe the signature checks should be implemented at the device level, not at the OS or driver level, so it should be the ODM's responsibility.

"You could have a privilege escalation from an administrative process into the kernel, and if the kernel is the thing that's verifying the signature before it puts firmware into the device, that's not fully secure," Jesse Michael, principal researcher at Eclypsium, tells CSO.

"It really needs to be the device itself that is doing the signature verification and a number of vendors have produced more intelligent devices where they actually are doing the signature verification in the device, but a number of ODMs are not moving in that direction yet."

Altherr believes that users, both businesses and consumers, should become aware of this issue and consider it in their purchasing decisions. This would put pressure on PC makers to provide firmware validation in their products, which would in turn force component suppliers to implement such mechanisms in their devices.

"We know how to implement signed firmware updates in secure systems," Altherr says. "The primitives for doing this have been in place for a long time. They've been illustrated well in various segments.

"Certainly, attacks happen against them, but there's a lot of well-trodden space that shows how to do at least the basics well, and those are things that the ODMs have been reluctant to do. That's one aspect of it: Today customers aren't asking for it. So, the OEMs are saying: 'Well, nobody's asking for it. Why should I do this?'."

Related Whitepapers

Copyright 2020 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.